When people talk about supply chain security, "our mind always goes to the spy story," but the "James Bond worthy" claim by Bloomberg – that malicious chips had been fitted to Supermicro motherboards* supplied to US companies and government agencies – is "a distraction," Sophos principal research scientist Chester Wisniewski told iTWire.
There are many types of supply chain attacks that are really happening, he said, and they all prey on organisations' inherent trust in their suppliers.
For example, 22 municipalities in Texas were hit in one night by ransomware via a service provider they all used, and a similar thing happened to more than 400 dental practices in the US.
If an attacker successfully phishes just one employee at a service provider, that can put all of the company's clients at risk.
Another opportunity for attackers is opened up through bespoke software development and deployment.
Pre-built Docker containers are widely reused, for instance when setting up web servers. "We have blind faith in these containers [and associated software]," Wisniewski said, so criminals are booby-trapping them.
Similarly, extensive use is made of certain open source libraries, giving attackers another route for covertly introducing malicious code into otherwise legitimate applications.
"This has always been a problem with open source," he said.
The trick, Wisniewski suggested, is for an attacker to identify a library that isn't being actively maintained.
Such libraries do not need to be very widely used in order to be a worthwhile target: an "audience" of 10,000 users is sufficiently attractive, he said.
Those are just two types of supply chain attack. But what steps can organisations take to protect themselves?
Phishing attacks can be effectively eliminated by using two-factor authentication, so it makes sense to ensure that your service providers are using 2FA.
The code and container problem isn't so easy to deal with.
Sophos uses a lot of outside libraries, Wisniewski said, and has adopted a two-step strategy to minimise the associated risks.
Firstly, it carries out a code audit before adopting a new version of a library. That's not a simple task, but should be within the capabilities of developers who use that library.
Secondly, it only adopts new versions that address specific, relevant vulnerabilities. Criminals generally promote feature updates rather than security updates, he observed.
This significantly reduces the number of audits required. If you only take two updates a year, you can afford the time required, he suggested.
In the wake of the long-standing Heartbleed flaw in OpenSSL, some big companies invested in auditing the most commonly used libraries and packages, so criminals now look for smaller targets where their changes are less likely to be noticed, according to Wisniewski.
When it comes to containers, you could build your own in the time it takes to audit the contents of a prefabricated container, so that is his recommended approach.
In one case, there was nothing wrong with a malicious container apart from the fact that a criminal had installed their own SSH key, allowing them to log into any instance of that container.
"It's a difficult challenge," he said.
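One way to check a prebuilt container for the planted SSH key described above, as an added example that is not from Sophos or the article: it scans a filesystem tarball (such as `docker export` produces) for `authorized_keys` files and reports every key whose fingerprint is not on an allowlist. The function names, sample keys and allowlist are constructed for illustration.

```python
import base64, hashlib, io, tarfile

KEY_FILES = ("authorized_keys", "authorized_keys2")  # OpenSSH default names
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")                # public-key type prefixes

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Yield (fingerprint, comment) per key line; options may precede the type."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    yield fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                    break
                except ValueError:  # not a valid blob, keep looking
                    continue
        else:
            yield "unparseable", line.strip()  # flag rather than skip silently

def find_unapproved_keys(rootfs_tar, approved):
    """Return [(path, fingerprint, comment)] for keys not on the allowlist."""
    findings = []
    with tarfile.open(fileobj=rootfs_tar) as tar:
        for member in tar:
            if member.isfile() and member.name.rsplit("/", 1)[-1] in KEY_FILES:
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                findings += [(member.name, fp, note)
                             for fp, note in parse_keys(text) if fp not in approved]
    return findings

def build_sample():
    """Constructed rootfs tarball: one approved key, one unknown key."""
    ours = base64.b64encode(b"constructed-blob-build-team").decode()
    theirs = base64.b64encode(b"constructed-blob-unknown").decode()
    body = f"ssh-ed25519 {ours} build@example\nssh-rsa {theirs} unknown\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("root/.ssh/authorized_keys")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf, {fingerprint(ours)}
```

Calling `find_unapproved_keys(*build_sample())` returns the single unknown key. A clean result covers only this one kind of backdoor, not the rest of the container's contents.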
While there are some centralised distribution points (e.g., Docker for containers and GitHub for open source projects), large organisations seem reluctant to reveal whether any particular version has passed their audit process, possibly fearing reputational loss if someone discovers an issue they overlooked.
However, cloud services such as AWS and Azure are heavily audited and employ some of the best security people in the world, so it makes sense to use their libraries and containers, Wisniewski suggested.
He drew a parallel with the way some of the major app stores vet software before releasing it: "we know they're not perfect... but they're pretty darned good."
Another advantage of app stores is that they provide a central point where a piece of software found to be malicious can be 'recalled'.
Improved patching habits mean that where browsers were once exploited in around 80% of attacks, that has now fallen to approximately 10%, so criminals are turning to other approaches.
"Most of us are hit by opportunistic attacks" rather than being specifically identified, he said, so making sure you're not an easy target substantially reduces the chance of being affected.
It's the old story: if your doors are locked and your neighbours' aren't, you're less likely to be burgled even though locks don't provide 100% protection.
Similarly, countermeasures against supply chain exploits generally aim to increase criminals' cost of doing business by eliminating or at least greatly reducing the number of easy targets.
* Although the Bloomberg claim has been widely discredited, last month a security researcher revealed a proof of concept that showed how less than US$200 worth of equipment could be used to fit a US$2 chip to a Cisco firewall in order to take remote control of the device.